This patch implements the -u and -g options for lxc-attach that allows
the user to ask for a specific user and group id when attaching to a
container.

NOTE: DO NOT APPLY THIS PATCH JUST YET, THERE ARE SECURITY IMPLICATIONS
THAT HAVE TO BE CONSIDERED BEFORE DOING SO. THIS IS JUST A DRAFT.
---
 src/lxc/lxc_attach.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
index 6095b54..d39f5db 100644
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -26,6 +26,7 @@
 #include <errno.h>
 #include <pwd.h>
 #include <stdlib.h>
+#include <limits.h>
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -55,6 +56,8 @@ static const struct option my_longopts[] = {
        {"arch", required_argument, 0, 'a'},
        {"namespaces", required_argument, 0, 's'},
        {"remount-sys-proc", no_argument, 0, 'R'},
+       {"uid", required_argument, 0, 'u'},
+       {"gid", required_argument, 0, 'g'},
        LXC_COMMON_OPTIONS
 };
 
@@ -62,10 +65,13 @@ static int elevated_privileges = 0;
 static signed long new_personality = -1;
 static int namespace_flags = -1;
 static int remount_sys_proc = 0;
+static long requested_uid = -1;
+static long requested_gid = -1;
 
 static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
        int ret;
+       char *endptr;
 
        switch (c) {
        case 'e': elevated_privileges = 1; break;
@@ -85,6 +91,24 @@ static int my_parser(struct lxc_arguments* args, int c, 
char* arg)
                /* -s implies -e */
                elevated_privileges = 1;
                break;
+       case 'u':
+               endptr = NULL;
+               requested_uid = strtol(arg, &endptr, 10);
+               if (requested_uid < 0 || requested_uid == LONG_MAX ||
+                   !endptr || *endptr || !*arg) {
+                       lxc_error(args, "invalid user id specified: %s", arg);
+                       return -1;
+               }
+               break;
+       case 'g':
+               endptr = NULL;
+               requested_gid = strtol(arg, &endptr, 10);
+               if (requested_gid < 0 || requested_gid == LONG_MAX ||
+                   !endptr || *endptr || !*arg) {
+                       lxc_error(args, "invalid group id specified: %s", arg);
+                       return -1;
+               }
+               break;
        }
 
        return 0;
@@ -116,7 +140,10 @@ Options :\n\
                     Remount /sys and /proc if not attaching to the\n\
                     mount namespace when using -s in order to properly\n\
                     reflect the correct namespace context. See the\n\
-                    lxc-attach(1) manual page for details.\n",
+                    lxc-attach(1) manual page for details.\n\
+  -u, --uid=UID     setuid(UID) when entering the container\n\
+  -g, --gid=GID     setgid(GID) when entering the container\n",
+  
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = NULL,
@@ -425,6 +452,12 @@ int main(int argc, char *argv[])
                         */
                        (void) lxc_attach_get_init_uidgid(&init_uid, &init_gid);
 
+                       /* if the user whished for different credentials, use 
them */
+                       if (requested_uid != -1)
+                               init_uid = (uid_t) requested_uid;
+                       if (requested_gid != -1)
+                               init_gid = (gid_t) requested_gid;
+
                        /* try to set the uid/gid combination */
                        if (setgid(init_gid)) {
                                SYSERROR("switching to container gid");
@@ -434,6 +467,23 @@ int main(int argc, char *argv[])
                                SYSERROR("switching to container uid");
                                return -1;
                        }
+               } else {
+                       /* by default, with no user namespaces, we don't need
+                        * setgid()/setuid(), but we should use them if 
explicitly
+                        * requested
+                        */
+                       if (requested_gid != -1) {
+                               if (setgid((gid_t) requested_gid)) {
+                                       SYSERROR("switching to container gid");
+                                       return -1;
+                               }
+                       }
+                       if (requested_uid != -1) {
+                               if (setuid((uid_t) requested_uid)) {
+                                       SYSERROR("switching to container uid");
+                                       return -1;
+                               }
+                       }
                }
 
                if (my_args.argc) {
-- 
1.7.10.4


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Reply via email to